1 Symbolic Implementation of the Best Transformer
Thomas Reps, University of Wisconsin
Joint work with M. Sagiv and G. Yorsh (Tel-Aviv)
[TR-1468, Comp. Sci. Dept., Univ. of Wisconsin]

2 Who Cares?
New approach to using symbolic techniques in abstract interpretation
–For shape analysis
–For other abstract domains
What does it mean to harness a decision procedure for use in static analysis?

3 Abstract Interpretation
[figure: Concrete side (sets of stores) with the concrete transformer T; Abstract side (descriptors of sets of stores) with the abstract transformer T#; abstraction and concretization connect the two sides]

4 Abstract Interpretation
[figure repeated from slide 3]

5 Best Abstract Transformer
[figure: the diagram of slide 3; the best abstract transformer is obtained by concretizing, applying T, and abstracting the result]

6 Best Abstract Transformers
For each abstract domain, there is a best transformer for each program statement
–Best possible precision for that abstraction
For predicate-abstraction domains, implementation of best transformer is known
–Uses theorem prover
Our work: implement best transformers for non-predicate-abstraction domains
–Also uses theorem prover

7 Symbolic Operations: Three Value-Spaces
[figure: the three value-spaces Formulas, Concrete Values and Abstract Values, with the concrete transformer T between concrete values]

8 Symbolic Operations: Three Value-Spaces
[figure: as slide 7, with the abstract transformer T# added between abstract values]

9 Symbolic Operations: Three Value-Spaces
[figure: shape-analysis instance: a concrete store in which x points to a linked list, its 3-valued structure (node u1 pointed to by x, followed by the summary node u), and the formula describing that structure]

10 Required Primitive Operations
Abstraction: α(S) = ⊔_{s ∈ S} β(s); β(concrete store) = the 3-valued structure obtained by canonical abstraction [figure: a list store and its 3-valued structure with nodes u1 and u]
Symbolic concretization: γ̂(3-valued structure) = ∀v1,v2: node_u1(v1) ∧ node_u(v2) ⇒ v1 ≠ v2 ∧ ∀v: node_u1(v) ∨ node_u(v) ∧ ...
Theorem prover returning a satisfying structure (store): S ⊨ ψ
For shape analysis, SPASS is mostly satisfactory

11 Constant-Propagation Domain
(Var → Z^T)_⊥, where Z^T is the flat lattice [Hasse diagram: T above the pairwise-incomparable integers ... -2 -1 0 1 2 ...]
Examples: ⊥, [x↦0, y↦43, z↦0], [x↦T, y↦T, z↦0], [x↦T, y↦T, z↦T]
Infinite cardinality, but finite height

12 Three Value-Spaces
[figure: Concrete values [x↦0, y↦0, z↦0], [x↦0, y↦1, z↦0], [x↦0, y↦2, z↦0], ...; the formula (x = 0) ∧ (z = 0) in Formulas; the abstract value [x↦0, y↦T, z↦0] in Abstract Values]

13 Three Value-Spaces
[figure: as slide 12, with the arrow from the abstract value [x↦0, y↦T, z↦0] to the formula (x = 0) ∧ (z = 0), i.e. symbolic concretization]

14 Required Primitive Operations
Abstraction: α(S) = ⊔_{s ∈ S} β(s); β([x↦0, y↦2, z↦0]) = [x↦0, y↦2, z↦0]
Symbolic concretization: γ̂([x↦0, y↦T, z↦0]) = (x = 0) ∧ (z = 0)
Theorem prover returning a satisfying structure (store): S ⊨ ψ, e.g. [x↦0, y↦2, z↦0] ⊨ (x = 0) ∧ (z = 0)

15 Required Primitive Operations
Abstraction: α(S) = ⊔_{s ∈ S} β(s); β([x↦0, y↦2, z↦0]) = [x↦0, y↦2, z↦0]
Symbolic concretization: γ̂([x↦0, y↦T, z↦0]) = (x = 0) ∧ (z = 0)
Theorem prover returning a satisfying structure (store): S ⊨ ψ, e.g. [x↦0, y↦2, z↦0] ⊨ (z = 0) ∧ (x = y*z)

16 Constant Propagation
Statement x = y * z: the concrete store [x↦3, y↦4, z↦1] becomes [x'↦4, y'↦4, z'↦1]
Concrete transformer as a function: T[x = y*z] = λe. e[x ↦ e(y)*e(z)]
Concrete transformer as a two-store formula: T[x := y*z] =df (x' = y*z) ∧ (y' = y) ∧ (z' = z)
[x↦3, y↦4, z↦1, x'↦4, y'↦4, z'↦1] ⊨ (x' = y*z) ∧ (y' = y) ∧ (z' = z)

17 Constant Propagation
Abstract: [x↦3, y↦T, z↦1] becomes [x'↦T, y'↦T, z'↦1]
Abstract transformer: T#[x = y*z] = λe. e[x ↦ e(y) *# e(z)]

18 Constant Propagation
[figure: control-flow graph with nodes Start, x = 3, if ..., z = 2, y = x, y = z+1, printf(y); edges labelled with their abstract transformers λe.e[x↦3], λe.e (both branches of the if), λe.e[z↦2], λe.e[y↦e(x)], λe.e[y↦e(z) +# 1]]

19 Constant Propagation
[figure: the graph of slide 18 annotated with the abstract values reached: [x↦T, y↦T, z↦T], [x↦3, y↦T, z↦T], [x↦3, y↦T, z↦2], [x↦3, y↦3, z↦2], [x↦3, y↦3, z↦T]]

20 Abstract Transformer
[figure: T#[x := y*z] maps [x↦T, y↦T, z↦0] to [x↦T, y↦T, z↦0]; concretely, T[x := y*z] maps {[x↦3, y↦3, z↦0], [x↦7, y↦2, z↦0]} to {[x↦0, y↦3, z↦0], [x↦0, y↦2, z↦0]}, whose abstraction is [x↦0, y↦T, z↦0]]

21 Best Abstract Transformer
[figure: γ([x↦T, y↦T, z↦0]) = {[x↦0, y↦0, z↦0], [x↦1, y↦0, z↦0], ..., [x↦0, y↦1, z↦0], [x↦1, y↦1, z↦0], ...}; T[x := y*z] maps this set to {[x↦0, y↦0, z↦0], [x↦0, y↦1, z↦0], ...}, whose abstraction is [x↦0, y↦T, z↦0]]

22 Three Value-Spaces
[figure: γ̂([x↦T, y↦T, z↦0]) = (z = 0); applying T[x := y*z] to that formula yields (x' = 0) ∧ (z' = 0); applying α yields [x'↦0, y'↦T, z'↦0]; the path is α ∘ T ∘ γ̂]

23 Remainder of the Talk
α̂(φ) – best abstract value that represents φ
Best = α̂ ∘ T ∘ γ̂ – best abstract transformer

24 Idea Behind Procedure α̂_CP(φ)
[figure: the formula φ in the Formulas space; the answer ans is to be built in the Abstract Values space]

25 Idea Behind Procedure α̂_CP(φ)
[figure: a store S ⊨ φ is chosen; β(S) is its abstraction]

26 Idea Behind Procedure α̂_CP(φ)
[figure: ans := ans ⊔ β(S); γ̂(ans) in Formulas; ¬γ̂(ans) excludes the stores already covered by ans]

27 Idea Behind Procedure α̂_CP(φ)
[figure: ψ1 = φ ∧ ¬γ̂(ans); a store S ⊨ ψ1 is chosen and ans is joined with β(S)]

28 Idea Behind Procedure α̂_CP(φ)
[figure: ψ2 = ψ1 ∧ ¬γ̂(ans); a store S ⊨ ψ2 is chosen]

29 Idea Behind Procedure α̂_CP(φ)
[figure: ans is joined with β(S); γ̂(ans) now covers more of φ]

30 Idea Behind Procedure α̂_CP(φ)
[figure: ψ5 = false; no store remains, so γ̂(ans) covers φ and ans is returned]

31 Procedure α̂
α̂(formula φ) {
  ans := ⊥
  ψ := φ
  while (ψ is satisfiable) {
    Select a store S such that S ⊨ ψ
    ans := ans ⊔ β(S)
    ψ := ψ ∧ ¬γ̂(ans)
  }
  return ans
}

32 Example: α̂_CP((y = 3) ∧ (x = 4*y + 1))
Initialization: ans := ⊥; ψ := (y = 3) ∧ (x = 4*y + 1)
Iteration 1:
  S := [x↦13, y↦3] // A satisfying store
  ans := ⊥ ⊔ β([x↦13, y↦3]) = [x↦13, y↦3]
  γ̂(ans) = (x = 13) ∧ (y = 3)
  ψ := (y = 3) ∧ (x = 4*y + 1) ∧ ¬((x = 13) ∧ (y = 3)) = (y = 3) ∧ (x = 4*y + 1) ∧ ((x ≠ 13) ∨ (y ≠ 3)) = false
Iteration 2: ψ is unsatisfiable
Return value: [x↦13, y↦3]

33 Procedure α̂_CP(φ)
[figure: φ = (z = 0) ∧ (x = y*z); the chosen store S = [x↦0, y↦43, z↦0]; ans = β(S) = [x↦0, y↦43, z↦0]]

34 Procedure α̂_CP(φ)
[figure: γ̂(ans) = (x = 0) ∧ (y = 43) ∧ (z = 0); ψ := φ ∧ ¬γ̂(ans)]

35 Example: α̂_CP((z = 0) ∧ (x = y*z))
Initialization: ans := ⊥; ψ := (z = 0) ∧ (x = y*z)
Iteration 1:
  S := [x↦0, y↦43, z↦0] // A satisfying store
  ans := ⊥ ⊔ β([x↦0, y↦43, z↦0]) = [x↦0, y↦43, z↦0]
  γ̂(ans) = (x = 0) ∧ (y = 43) ∧ (z = 0)
  ψ := (z = 0) ∧ (x = y*z) ∧ ¬((x = 0) ∧ (y = 43) ∧ (z = 0)) = (z = 0) ∧ (x = y*z) ∧ (y ≠ 43)

36 Procedure α̂_CP(φ)
[figure: ψ = (z = 0) ∧ (x = y*z) ∧ (y ≠ 43); the chosen store S = [x↦0, y↦46, z↦0]; ans = [x↦0, y↦43, z↦0] ⊔ β([x↦0, y↦46, z↦0])]

37 Procedure α̂_CP(φ)
[figure: ans = [x↦0, y↦T, z↦0]; γ̂(ans) = (x = 0) ∧ (z = 0); ψ ∧ ¬((x = 0) ∧ (z = 0)) has no satisfying store]

38 Example: α̂_CP((z = 0) ∧ (x = y*z)) ...
ψ = (z = 0) ∧ (x = y*z) ∧ (y ≠ 43)
Iteration 2:
  S := [x↦0, y↦46, z↦0] // A satisfying store
  ans := [x↦0, y↦43, z↦0] ⊔ β([x↦0, y↦46, z↦0]) = [x↦0, y↦43, z↦0] ⊔ [x↦0, y↦46, z↦0] = [x↦0, y↦T, z↦0]
  γ̂(ans) = (x = 0) ∧ (z = 0)
  ψ := (z = 0) ∧ (x = y*z) ∧ (y ≠ 43) ∧ ¬((x = 0) ∧ (z = 0)) = false
Iteration 3: ψ is unsatisfiable
Return value: [x↦0, y↦T, z↦0]

39 The Idea Behind Best = α̂ ∘ T ∘ γ̂
[figure: the Formulas and Abstract Values spaces; the abstract store a, its symbolic concretization γ̂(a), and the two-store formula γ̂(a) ∧ T]

40 The Idea Behind Best = α̂ ∘ T ∘ γ̂
[figure repeated from slide 39]

41 The Idea Behind Best = α̂ ∘ T ∘ γ̂
[figure: the answer ans is built in the (primed) Abstract Values space by joining the abstractions of the output stores S' of pairs (S,S') ⊨ γ̂(a) ∧ T]

42 The Idea Behind Best = α̂ ∘ T ∘ γ̂
[figure repeated from slide 41]

43 Procedure Best
Best(two-store-formula T, abs-store a) {
  ans' := ⊥'
  ψ := γ̂(a) ∧ T
  while (ψ is satisfiable) {
    Select a store pair (S,S') such that (S,S') ⊨ ψ
    ans' := ans' ⊔ β'(S')
    ψ := ψ ∧ ¬γ̂'(ans')
  }
  return ans'
}

44 Best((x' = y*z) ∧ (y' = y) ∧ (z' = z), [x↦T, y↦T, z↦0])
Initialization: ans' := ⊥'; ψ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z)
Iteration 1:
  (S,S') := [x↦5, y↦17, z↦0, x'↦0, y'↦17, z'↦0]

45 The Idea Behind Best = α̂ ∘ T ∘ γ̂
[figure: the diagram of slide 39 with the chosen pair S = [x↦5, y↦17, z↦0], S' = [x'↦0, y'↦17, z'↦0]]

46 Best((x' = y*z) ∧ (y' = y) ∧ (z' = z), [x↦T, y↦T, z↦0]) (continued)
Iteration 1:
  (S,S') := [x↦5, y↦17, z↦0, x'↦0, y'↦17, z'↦0]
  ans' := ⊥' ⊔ β'([x'↦0, y'↦17, z'↦0]) = [x'↦0, y'↦17, z'↦0]
  γ̂'(ans') = (x' = 0) ∧ (y' = 17) ∧ (z' = 0)
  ψ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z) ∧ (y' ≠ 17)

47 Best((x' = y*z) ∧ (y' = y) ∧ (z' = z), [x↦T, y↦T, z↦0]) (continued)
Iteration 2:
  (S,S') := [x↦12, y↦99, z↦0, x'↦0, y'↦99, z'↦0]
  ans' := [x'↦0, y'↦17, z'↦0] ⊔ [x'↦0, y'↦99, z'↦0] = [x'↦0, y'↦T, z'↦0]
  γ̂'(ans') = (x' = 0) ∧ (z' = 0)
  ψ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z) ∧ (y' ≠ 17) ∧ ((x' ≠ 0) ∨ (z' ≠ 0)) = false
Iteration 3: ψ is unsatisfiable
Return value: [x'↦0, y'↦T, z'↦0]
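The two procedures of slides 31 and 43, run on the constant-propagation examples of slides 32, 35, 38 and 44-47, as an added example that is not part of the talk or of the authors' implementation. Formulas are represented as Python predicates over stores, and a brute-force search over a bounded integer range (an assumption of this example) stands in for the theorem prover; it is the finite height of the domain, not the bound, that makes the loops terminate. The non-best transformer λe.e[x ↦ e(y) *# e(z)] of slide 17 is included so the loss of precision on slide 20 can be seen side by side with the best transformer.

```python
import itertools

# Constant-propagation domain (Var -> Z^T)_bottom of slide 11.
TOP = "T"       # unknown constant, the top of Z^T
BOTTOM = None   # bottom of the lifted domain: represents no store at all


def join(a, b):
    """Least upper bound of two abstract stores."""
    if a is BOTTOM:
        return b
    if b is BOTTOM:
        return a
    return {v: a[v] if a[v] == b[v] else TOP for v in a}


def beta(store):
    """Abstraction of a single concrete store: it is already a constant map."""
    return dict(store)


def gamma_hat(a):
    """Symbolic concretization: a predicate that holds exactly on the stores
    represented by a (a conjunction of equalities for the non-T variables)."""
    if a is BOTTOM:
        return lambda s: False
    return lambda s: all(s[v] == c for v, c in a.items() if c != TOP)


def find_model(variables, phi, bound):
    """Stand-in for the theorem prover (assumption: models lie in [-bound, bound]).
    Returns a store S with S |= phi, or None if none exists in range."""
    for values in itertools.product(range(-bound, bound + 1), repeat=len(variables)):
        s = dict(zip(variables, values))
        if phi(s):
            return s
    return None


def conjoin_not(psi, g):
    """psi and not g, applied to the last store argument (S, or S' for pairs).
    Built as a separate function so each iteration captures its own psi and g."""
    return lambda *stores: psi(*stores) and not g(stores[-1])


def alpha_hat_cp(variables, phi, bound=20):
    """Slide 31: the best abstract value representing the formula phi."""
    ans, psi = BOTTOM, phi
    while True:
        S = find_model(variables, psi, bound)
        if S is None:                      # psi is unsatisfiable
            return ans
        ans = join(ans, beta(S))
        psi = conjoin_not(psi, gamma_hat(ans))


def best_cp(variables, T, a, bound=20):
    """Slide 43: the best abstract transformer for a concrete transformer T.
    T is given as a function on stores, so the two-store formula is S' = T(S) and
    a pair (S, S') is found by searching over S alone. The result uses the
    unprimed names: the returned 'x' is the value of x'."""
    ans_primed = BOTTOM
    g_a = gamma_hat(a)
    psi = lambda S, S_primed: g_a(S)       # gamma_hat(a) and T
    while True:
        pair = None
        for values in itertools.product(range(-bound, bound + 1), repeat=len(variables)):
            S = dict(zip(variables, values))
            S_primed = T(S)
            if psi(S, S_primed):
                pair = (S, S_primed)
                break
        if pair is None:                   # psi is unsatisfiable
            return ans_primed
        ans_primed = join(ans_primed, beta(pair[1]))
        psi = conjoin_not(psi, gamma_hat(ans_primed))


def concrete_x_eq_y_times_z(s):
    """T[x := y*z] of slide 16 as a function on concrete stores."""
    return dict(s, x=s["y"] * s["z"])


def mult_sharp(u, v):
    """Abstract multiplication *# of slide 17: any T operand yields T."""
    return TOP if TOP in (u, v) else u * v


def naive_x_eq_y_times_z(a):
    """The abstract transformer lambda e. e[x -> e(y) *# e(z)] of slide 17."""
    return dict(a, x=mult_sharp(a["y"], a["z"]))


if __name__ == "__main__":
    print(alpha_hat_cp(["x", "y"], lambda s: s["y"] == 3 and s["x"] == 4 * s["y"] + 1))
    print(alpha_hat_cp(["x", "y", "z"], lambda s: s["z"] == 0 and s["x"] == s["y"] * s["z"]))
    a = {"x": TOP, "y": TOP, "z": 0}
    print("naive:", naive_x_eq_y_times_z(a))
    print("best: ", best_cp(["x", "y", "z"], concrete_x_eq_y_times_z, a))
```

Because the search enumerates stores from the most negative values upward, the satisfying stores it picks differ from the ones on the slides ([x↦0, y↦-20, z↦0] rather than [x↦0, y↦43, z↦0]), but the join of any two stores that differ only in y already reaches [x↦0, y↦T, z↦0], so the returned abstract value is the one the slides compute. The naive transformer returns T for x on [x↦T, y↦T, z↦0] because *# knows nothing about multiplication by zero, whereas the best transformer recovers x' = 0.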

48 Best(y = x→next, 3-valued structure)
[figure: the input 3-valued structure (x points to node u1, followed by summary node u, with r[x] on both); the store pairs returned by the theorem prover over concrete nodes u1, u2, u3, u4; and the resulting 3-valued structure over the primed predicates x', y', r[x]', r[y]'. The two-store formula includes ... (y'(v) ⇔ ∃v1: x(v1) ∧ n(v1,v)) ...]

49 Predicate Abstraction
y := 3
x := 4*y + 1
Predicates: { B1 ≡ (y = 1), B2 ≡ (y = 3), B3 ≡ (y = 4), B4 ≡ (x = 1), B5 ≡ (x = 3), B6 ≡ (x = 4) }
Abstract value after the two assignments: ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩, i.e. y = 3 ∧ x ∉ {1, 3, 4}
Concrete store: [x↦13, y↦3]

50 Three Value-Spaces
[figure: abstract value ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩; its symbolic concretization (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4); concrete stores [x↦5, y↦3], [x↦0, y↦3], [x↦17, y↦3], ...]

51 Three Value-Spaces
[figure: applying T[x := x+1] to that formula gives (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 4); applying α gives ⟨¬B1, B2, ¬B3, ¬B6⟩, with B4 and B5 unknown; the path is α ∘ T ∘ γ̂]

52 Predicate Abstraction
Abstract values: ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩
Apply γ̂, which performs γ symbolically: (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
Apply α̂ ∘ T, which implements α ∘ T

53 α_PA: Most-Precise Abstract Value [Predicate Abstraction]
[figure: the formula (y = 3) ∧ (x = 4*y + 1) is mapped by α_PA to ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩]

54 α_PA: Most-Precise Abstract Value [Predicate Abstraction]
α_PA(φ) = false if φ is unsatisfiable; otherwise ⋀_{j=1..k} (B_j if φ ⇒ φ_j is valid; ¬B_j if φ ⇒ ¬φ_j is valid; true otherwise)
α_PA((y = 3) ∧ (x = 4*y + 1)) = ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩
Validity checks:
  (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(y = 1)
  (y = 3) ∧ (x = 4*y + 1) ⇒ (y = 3)
  (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(y = 4)

55 α_PA: Most-Precise Abstract Value [Predicate Abstraction]
α_PA(φ) = false if φ is unsatisfiable; otherwise ⋀_{j=1..k} (B_j if φ ⇒ φ_j is valid; ¬B_j if φ ⇒ ¬φ_j is valid; true otherwise)
Validity checks (continued):
  (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 1)
  (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 3)
  (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 4)
α_PA((y = 3) ∧ (x = 4*y + 1)) = ⟨¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6⟩

56 Procedure α_PA vs. General α̂
[figure: α_PA decides each predicate B_j with one validity query against φ; the general procedure α̂ instead iterates: pick S ⊨ ψ_i, ans_i = ans_{i-1} ⊔ β(S), ψ_i = ψ_{i-1} ∧ ¬γ̂(ans_{i-1})]

57 Conclusions
Requirements
–Finite-height abstract domain
–Theorem prover that returns a satisfying structure (store)
–α(S) = ⊔_{s ∈ S} β(s)
–Symbolic-concretization operation γ̂(·)
α̂(φ) – best abstract value that represents φ
Best(T, a) – best abstract transformer
–Best(T1; T2; ...; Tk, a) – best abstract transformer for a basic block


59 Clients of Abstract Interpretation
p: if (x == y*z) then S1 else S2 fi
+ At p, [x↦0, y↦T, z↦0] holds
⇒ p: S1
Querying an abstract value: ⟦x = y*z⟧([x↦0, y↦T, z↦0]) = true?

60 The Most-Precise Answer to a Query [Definition]
⟦φ⟧(a) = true if S ⊨ φ for all S ∈ γ(a); false if S ⊨ ¬φ for all S ∈ γ(a); ? otherwise
Equivalently: ⟦φ⟧(a) = true if γ(a) ⊆ ⟦φ⟧; false if γ(a) ⊆ ⟦¬φ⟧; ? otherwise

61 Quiz
⟦φ⟧(a) = true if γ(a) ⊆ ⟦φ⟧; false if γ(a) ⊆ ⟦¬φ⟧; ? otherwise
γ([x↦0, y↦T, z↦0]) = {[x↦0, y↦0, z↦0], [x↦0, y↦1, z↦0], [x↦0, y↦2, z↦0], ...}
What is the value of ⟦y = 1⟧([x↦0, y↦T, z↦0])?
⟦y = 1⟧([x↦0, y↦T, z↦0]) = ?

62 Quiz
⟦φ⟧(a) = true if γ(a) ⊆ ⟦φ⟧; false if γ(a) ⊆ ⟦¬φ⟧; ? otherwise
γ([x↦0, y↦T, z↦0]) = {[x↦0, y↦0, z↦0], [x↦0, y↦1, z↦0], [x↦0, y↦2, z↦0], ...}
What is the value of ⟦x = y*z⟧([x↦0, y↦T, z↦0])?
⟦x = y*z⟧([x↦0, y↦T, z↦0]) = true

63 The Most-Precise Answer to a Query [Implementation]
⟦φ⟧(a) = true if γ̂(a) ⇒ φ is valid; false if γ̂(a) ⇒ ¬φ is valid; ? otherwise
What is the value of ⟦x = y*z⟧([x↦0, y↦T, z↦0])?
γ̂([x↦0, y↦T, z↦0]) = (x = 0) ∧ (z = 0)
Is (x = 0) ∧ (z = 0) ⇒ (x = y*z) valid? yes
Is (x = 0) ∧ (z = 0) ⇒ (x ≠ y*z) valid? no
⟦x = y*z⟧([x↦0, y↦T, z↦0]) = true

64 The Most-Precise Answer to a Query [Implementation]
⟦φ⟧(a) = true if γ̂(a) ⇒ φ is valid; false if γ̂(a) ⇒ ¬φ is valid; ? otherwise
γ̂([x↦0, y↦T, z↦0]) = (x = 0) ∧ (z = 0)
What is the value of ⟦y = 1⟧([x↦0, y↦T, z↦0])?
Is (x = 0) ∧ (z = 0) ⇒ (y = 1) valid? no
Is (x = 0) ∧ (z = 0) ⇒ (y ≠ 1) valid? no
⟦y = 1⟧([x↦0, y↦T, z↦0]) = ?
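The query implementation of slides 63-64 and the predicate-abstraction operation α_PA of slides 54-55 both reduce to validity checks, so one added example (not from the talk or the authors' implementation) serves both. Validity is decided by exhaustive search over a bounded integer range, an assumption of this example that stands in for the theorem prover; the three-valued answer uses '?' for the "neither implication is valid" case.

```python
import itertools

TOP = "T"        # unknown constant in a constant-propagation abstract store
UNKNOWN = "?"    # the third answer of the query operation


def all_stores(variables, bound):
    """Every store over the given variables with values in [-bound, bound]
    (assumption: this finite range stands in for the prover's integer domain)."""
    for values in itertools.product(range(-bound, bound + 1), repeat=len(variables)):
        yield dict(zip(variables, values))


def valid(variables, phi, bound=20):
    """phi is valid iff no store in range is a counter-model."""
    return all(phi(s) for s in all_stores(variables, bound))


def gamma_hat(a):
    """Symbolic concretization of a constant-propagation abstract store."""
    return lambda s: all(s[v] == c for v, c in a.items() if c != TOP)


def query(variables, phi, a):
    """Slide 63: [[phi]](a) is True if gamma_hat(a) => phi is valid,
    False if gamma_hat(a) => not phi is valid, and '?' otherwise."""
    g = gamma_hat(a)
    if valid(variables, lambda s: not g(s) or phi(s)):
        return True
    if valid(variables, lambda s: not g(s) or not phi(s)):
        return False
    return UNKNOWN


def alpha_pa(variables, phi, predicates, bound=20):
    """Slide 54: most-precise predicate-abstraction value for phi.
    predicates is a list of (name, predicate) pairs; the result maps each name
    to True (B_j holds), False (not B_j holds) or '?' (neither implication valid).
    None plays the role of false / bottom for an unsatisfiable phi."""
    if not any(phi(s) for s in all_stores(variables, bound)):
        return None
    result = {}
    for name, pred in predicates:
        if valid(variables, lambda s: not phi(s) or pred(s), bound):
            result[name] = True
        elif valid(variables, lambda s: not phi(s) or not pred(s), bound):
            result[name] = False
        else:
            result[name] = UNKNOWN
    return result


# The predicates of slide 49.
PREDICATES = [
    ("B1", lambda s: s["y"] == 1), ("B2", lambda s: s["y"] == 3), ("B3", lambda s: s["y"] == 4),
    ("B4", lambda s: s["x"] == 1), ("B5", lambda s: s["x"] == 3), ("B6", lambda s: s["x"] == 4),
]

if __name__ == "__main__":
    a = {"x": 0, "y": TOP, "z": 0}
    print(query(["x", "y", "z"], lambda s: s["x"] == s["y"] * s["z"], a))   # slide 63
    print(query(["x", "y", "z"], lambda s: s["y"] == 1, a))                 # slide 64
    print(alpha_pa(["x", "y"], lambda s: s["y"] == 3 and s["x"] == 4 * s["y"] + 1, PREDICATES))
```

The same `valid` routine answers both kinds of question: a query asks whether γ̂(a) implies φ or ¬φ, while α_PA asks, for each predicate, whether φ implies φ_j or ¬φ_j. Unlike the general procedure α̂ of slide 31, α_PA never asks the prover for a model, only for validity, which is why it needs exactly two queries per predicate.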

65 "Canonical Abstraction"
[figure: a concrete store in which x points to a four-node list u1, u2, u3, u4 (r[x] holds on every node), and its canonical abstraction: a 3-valued structure with node u1 (pointed to by x) and the summary node u]
node_u1(w) = x(w) ∧ ¬y(w) ∧ r[x](w) ∧ ¬r[y](w)
node_u(w) = ¬x(w) ∧ ¬y(w) ∧ r[x](w) ∧ ¬r[y](w)
Symbolic concretization: ∀v1,v2: node_u1(v1) ∧ node_u(v2) ⇒ v1 ≠ v2 ∧ ∀v: node_u1(v) ∨ node_u(v) ∧ ...

66 "Canonical Abstraction"
[figure repeated from slide 65]

